Post event, AMS runs an investigation review process for all security incidents. And, AMS initiates a correction of error (COE) process to address security incidents caused by a system or a procedural miss that plausibly has room for improvement. AMS partners with you to continuously-improve security investigation experience. The COE process helps AMS identify the contributing factors of customer-impacting events and connects those causes to next actions items that can prevent similar events from recurring, or helps mitigate the duration or level of impact.
The investigation review process for security incidents addresses the following items to identify opportunities for improvement:
What was the elapsed time from the beginning of the incident to incident discovery, to the initial impact assessment, and to each stage of the incident handling process (for example, containment, recovery)?
How long did it take the incident response team to respond to the initial report of the incident?
How long did it take to do an initial impact analysis?
Was this preventable and how? Is there a tool or process that could have prevented this?
Could we have detected this sooner and how?
What could have made the investigation go faster?
Were the documented Incident Response Procedures followed? Were they adequate?
Was the information sharing with other stakeholders done in a timely manner How could it be improved?
Was the collaboration with other teams (AWS Security, account teams, AWS Development team and customer security team's) effective? If not, what could be improved?
What preparation steps were missing that might have helped, escalation matrices, RACI’s, shared responsibility models, and so on? Is there a need to update any Runbooks?
What was the difference between the initial impact assessment and the final impact assessment? What can we do to improve accuracy of assessments earlier in the incident response?
What are the Action Items from the Lessons Learned?
